
FreeScout EUVD-2026-28405 | CVE-2026-41902
Severity: CRITICAL (CVSS 3.1 base score 9.1)
Weakness: Insufficient Session Expiration (CWE-613)
Published: 2026-05-07, source GitHub_M

CVSS Vector (NVD)

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: None

Lifecycle Timeline

Patch available: May 07, 2026 - 20:02 (EUVD)
Source Code Evidence Fetched: May 07, 2026 - 19:45 (vuln.today)
Analysis Generated: May 07, 2026 - 19:45 (vuln.today)
CVE Published: May 07, 2026 - 18:03 (nvd)

Description (NVD)

FreeScout is a free help desk and shared inbox built with PHP's Laravel framework. Prior to version 1.8.217, the /user-setup/{hash} endpoint accepts a 60-character random invite_hash to set a new user's password. The endpoint performs no expiration check - the hash remains valid indefinitely until consumed. Combined with realistic hash-leakage scenarios (forwarded invite emails, HTTP referrer to external CDNs on the setup page, server-side log exposure, abandoned invite emails in shared inboxes), this enables unauthenticated permanent account takeover months or years after invite issuance. If the leaked invite was sent to an admin, the takeover yields admin access. This issue has been patched in version 1.8.217.
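The defect the description identifies is a lookup that asks only "is there an unconsumed row with this hash?" and never "how old is it?". The following Python is an added illustration, not FreeScout's code (which is PHP/Laravel): it puts that weak lookup beside a hardened one that bounds the invite lifetime, makes the token single-use, stores only a digest of it, and compares in constant time. The User fields, the INVITE_TTL value and the in-memory users table are assumptions for the example; the scenario in demo() is constructed.

```python
"""Invite-token handling: weak pattern (token valid until consumed) beside a
hardened one (bounded lifetime, single use, digest at rest, constant-time
compare). Added illustration, not FreeScout's code; User fields, INVITE_TTL
and the in-memory users table are assumptions."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, Optional, Tuple

INVITE_TTL = timedelta(hours=48)  # assumed lifetime; choose what fits your onboarding flow


@dataclass
class User:
    email: str
    invite_hash: Optional[str] = None        # weak scheme: raw token, no timestamp
    invite_digest: Optional[str] = None      # hardened scheme: SHA-256 of the token
    invite_issued_at: Optional[datetime] = None
    password_set: bool = False


# --- Weak pattern: what CWE-613 looks like in code ------------------------

def issue_invite_weak(user: User) -> str:
    user.invite_hash = secrets.token_hex(30)  # 60 hex characters, like the advisory
    return user.invite_hash


def redeem_invite_weak(users: Dict[str, User], token: str) -> Optional[User]:
    # The age of the token is never considered, so a leaked link works months later.
    for user in users.values():
        if user.invite_hash is not None and user.invite_hash == token:
            user.password_set = True
            user.invite_hash = None
            return user
    return None


# --- Hardened pattern -----------------------------------------------------

def _digest(token: str) -> str:
    return hashlib.sha256(token.encode("utf-8")).hexdigest()


def issue_invite(user: User, now: datetime) -> str:
    token = secrets.token_urlsafe(45)        # 60 URL-safe characters
    user.invite_digest = _digest(token)      # a DB dump alone cannot replay the link
    user.invite_issued_at = now
    return token


def redeem_invite(users: Dict[str, User], token: str, now: datetime) -> Tuple[Optional[User], str]:
    digest = _digest(token)
    for user in users.values():
        if user.invite_digest is None:
            continue
        if not hmac.compare_digest(user.invite_digest, digest):
            continue
        # Matching token: enforce the lifetime before doing anything with it.
        if now - user.invite_issued_at > INVITE_TTL:
            user.invite_digest = None        # stale: drop it, an admin must re-invite
            user.invite_issued_at = None
            return None, "expired"
        user.password_set = True
        user.invite_digest = None            # single use
        user.invite_issued_at = None
        return user, "ok"
    return None, "invalid"


def revoke_stale_invites(users: Dict[str, User], now: datetime) -> int:
    """Clean-up counterpart of 'revoke all outstanding invite tokens': clears
    every invite older than INVITE_TTL and returns how many were cleared."""
    cleared = 0
    for user in users.values():
        if user.invite_issued_at is not None and now - user.invite_issued_at > INVITE_TTL:
            user.invite_digest = None
            user.invite_issued_at = None
            cleared += 1
    return cleared


def demo() -> dict:
    """Constructed scenario: invites issued on day 0 and redeemed 400 days later."""
    t0 = datetime(2026, 1, 1, tzinfo=timezone.utc)
    much_later = t0 + timedelta(days=400)

    weak = {"alice": User("alice@example.test")}
    old_link = issue_invite_weak(weak["alice"])
    weak_result = redeem_invite_weak(weak, old_link)        # still accepted: takeover

    hard = {"bob": User("bob@example.test"), "carol": User("carol@example.test")}
    bob_link = issue_invite(hard["bob"], t0)
    carol_link = issue_invite(hard["carol"], t0)
    late = redeem_invite(hard, bob_link, much_later)         # bob's old link: rejected
    revoked = revoke_stale_invites(hard, much_later)         # carol's untouched invite cleared
    carol_after = redeem_invite(hard, carol_link, much_later)
    fresh_link = issue_invite(hard["bob"], much_later)
    in_time = redeem_invite(hard, fresh_link, much_later + timedelta(hours=1))
    replay = redeem_invite(hard, fresh_link, much_later + timedelta(hours=2))
    return {
        "weak_accepted": weak_result is not None,
        "late": late[1], "revoked": revoked, "carol_after": carol_after[1],
        "in_time": in_time[1], "replay": replay[1],
    }
```

The expiry check deliberately runs after the digest match and before any state change, so an expired token is discarded rather than silently left usable; the hashing at rest means a leaked database row, like the leaked emails and logs the description lists, is not by itself a working link.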

Analysis (AI)

{hash} endpoint accepts 60-character invite_hash values with no time-based expiration, remaining valid indefinitely until consumed. Attackers who obtain leaked invite links through forwarded emails, HTTP referrer logs, CDN access logs, or archived messages can set passwords for target accounts months or years post-issuance. …


Remediation (AI)

Within 24 hours: identify all FreeScout instances and confirm versions currently deployed; audit access logs and email forwarding records for leaked invite links. Within 7 days: upgrade all FreeScout deployments to version 1.8.217 or later; rotate passwords for all user accounts, particularly administrators; revoke all outstanding invite tokens through the application database if version 1.8.217 is unavailable. …

